Using Static Analysis to Find Bugs
David Hovemeyer
April 28, 2005
CMSC 433

Bugs in software

- Programmers are smart people
- We have good techniques for finding bugs early:
  - Unit testing, pair programming, code inspections
- So, most bugs should be subtle, and require sophisticated analysis techniques to find
- Right?

Apache Ant 1.6.2, org.apache.tools.ant.taskdefs.optional.metamata.MAudit

    if (out == null) {
        try {
            out.close();
        } catch (IOException e) {
        }
    }

Eclipse 3.0.1, org.eclipse.update.internal.core.ConfiguredSite

    if (in == null)
        try {
            in.close();
        } catch (IOException e1) {
        }

Eclipse 3.0.1, org.eclipse.jdt.internal.debug.ui.JDIModelPresentation

    if (sig != null || sig.length() == 1) {
        return sig;
    }

Eclipse 3.0.1, org.eclipse.jdt.internal.ui.compare.JavaStructureDiffViewer

    Control c= getControl();
    if (c == null && c.isDisposed())
        return;

JBoss 4.0.0RC1, org.jboss.cache.TreeCache

    int treeNodeSize=fqn.size();
    if(fqn == null) return null;

One more...

J2SE version 1.5 build 63 (released version), java.lang.annotation.AnnotationTypeMismatchException

    public String foundType() {
        return this.foundType();
    }

Written by Josh Bloch, author of Effective Java

Bug-finding tools and techniques

- Much research has been done on static program analysis techniques to find bugs
- Recent research has moved towards increasingly more sophisticated analysis techniques
- Our question: what bugs can be found using simple analysis techniques?

Where is the low-hanging fruit?

- Bug-driven research: start by looking at real bugs, then think of ways to find similar bugs
  - Using simplest possible analysis techniques
- Try bug finders on real software
- Result: we found a surprising number of obvious bugs in production software

Talk overview

In this talk I will
- Discuss ways to find bugs in software
- Demonstrate that simple static analysis techniques can find lots of bugs in real software

Finding bugs in software

Testing

- Run the program, see if it behaves correctly
- Limitations:
  - Error handling code is difficult to test
  - Threading bugs can be very hard to reproduce
  - Test scaffolding is time-consuming to create

Code inspection

- Manually examine source code, look for bugs
- Limitations:
  - Labor intensive
  - Subjective: source code might appear to be correct when it is is not
- Can you spot the typo in this slide?
  - People have similar blind spots reading source code

Static analysis

- Idea: automated code inspection
  - Use a program to analyze your program for bugs
  - Analyze statements, control flow, method calls
- Advantages over testing and manual code inspection:
  - Can analyze many potential program behaviors
  - Doesn't get bored
  - Relatively objective

Limits of static analysis

- Nontrivial properties of programs are undecidable
  - Does program P have bug X?
  - Can program P reach state X?
  - Halting problem
- Static analysis can (in general) never be fully precise, so it must approximate the behavior of the program

Approximating towards completeness

- We could design a bug-finding analysis so that it always overestimates possible program behaviors
  - Never misses a bug, but might report some false warnings
- Problem: the analysis may report so many false warnings that the real bugs cannot be found!
- Trivial version: report a bug at every point in the program

Approximating towards soundness

- We could design a bug-finding analysis so that it always underestimates possible program behaviors
  - Never reports a false warning, but might miss some real bugs
- Problem: analysis may not find as many bugs as we would like
- Trivial version: never report any warnings

Heuristic analysis

- A static analysis to find bugs does not need to be consistent in its approximations
  - Neither complete nor sound: miss some real bugs, and report some false warnings
- This gives the analysis more flexibility to estimate likely program behaviors
  - May allow the analysis to be more precise in general

Practical issues

- Say your program has 100 real bugs
- Would you rather use
  - A tool that finds all 100 bugs, but reports 1,000,000 warnings
  - A tool that finds only 25 bugs, but reports 50 warnings
- Using a bug-finding tool must be a productive use of the developer's time
  - No useful tool will find every bug

Bug patterns

Bug patterns

- Not all bugs are subtle and unique
- Many bugs share common characteristics
- A bug pattern is a code idiom that is usually a bug
- Detection of many bug patterns can be automated using simple analysis techniques

The FindBugs tool

- We have implemented automatic detectors for about 100 bug patterns in a tool called FindBugs
  - Open source
  - http://findbugs.sourceforge.net
- Analyzes Java bytecode

Java bytecode

- Compiling and running a Java program:
  1. Source code compiled to class files containing bytecode
  2. Bytecode executed by the Java virtual machine (JVM)
- Bytecode is the machine language of the JVM
- Stack-based: Most bytecode instructions work by pushing values onto or consuming values from the operand stack
- Local variables are used for method parameters and longer-lived values
  - They are analogous to CPU registers

Bytecode example

    public class Hello {
        public static void main(String[] args) {
            System.out.println("Hello, world");
        }
    }

    getstatic     #2; //Field System.out
    ldc           #3; //String "Hello, world"
    invokevirtual #4; //Method PrintStream.println(String)
    return

Bytecode analysis techniques

Implementation techniques used in FindBugs:
- Examine class hierarchy
  - Find methods implemented or overridden improperly
  - Easy to implement, very accurate for finding some kinds of bugs
- Linear bytecode scan
  - Use a state machine to search for suspicious instruction sequences
  - Can find bugs involving short code sequences
- Dataflow analysis
  - Symbolically execute methods (keeping track of values)
  - Look for places where values are used in a suspicious way

Example bug patterns

What is wrong with this class?

    public class Person {
        private String firstName, lastName;

        public boolean equals(Person other) {
            return this.firstName.equals(other.firstName)
                && this.lastName.equals(other.lastName);
        }
    }

Covariant equals

- When defining an equals() method, the parameter must be of type Object
  - Otherwise it doesn't override the equals() method in the base Object class
- Why is this bad?
  - Container classes (like hash tables) need to use equals(Object)
  - A covariant equals() method won't be called
- Found: 15 cases in core Java 1.5 libraries, 4 in Eclipse 3.0, 2 in JBoss 4.0.0RC1

What is wrong with this code?

From JBoss 4.0.0RC1

    if (!enabled) {
        log.debug("Disabled, waiting for notification");
        synchronized (lock) {
            lock.wait();
        }
    }

Unconditional Wait

[Diagram slides; figures not recovered]

Correct code to wait on a condition

Correct code for waiting on a condition:

    synchronized (lock) {      // Acquire lock
        if (!condition) {      // Check condition
            lock.wait();       // Wait for notification
        }
    }

- Lock must be held while checking condition and waiting
  - Otherwise the notification could be missed

Detecting Unconditional Wait

- Idea: If lock acquisition is immediately followed by a wait, the condition was probably checked without the lock held
- Look for sequence containing instructions:
  - monitorenter
  - invokevirtual Object.wait()
- No branches between acquiring lock and waiting imply presence of bug
- Found 3 real bugs in core Java 1.5 libraries, 2 in Eclipse 3.0, 2 in JBoss 4.0.0RC1
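
The linear scan described above, as an added Python sketch (not code from the talk or from FindBugs). It assumes the input is a `javap -c` style text listing; both sample listings are hand-constructed excerpts, and the function name is hypothetical.

```python
import re

INSN = re.compile(r"^\s*(\d+):\s+(\S+)(.*)$")      # "  18: opcode operands"
BRANCH = re.compile(r"^(if\w*|goto(_w)?|tableswitch|lookupswitch)$")

def find_unconditional_waits(listing):
    """Linear scan: report offsets of Object.wait() calls reached from a
    monitorenter with no branch instruction in between."""
    hits = []
    lock_just_taken = False           # the state machine's single bit of state
    for line in listing.splitlines():
        m = INSN.match(line)
        if not m:
            continue
        offset, opcode, operands = int(m.group(1)), m.group(2), m.group(3)
        if opcode == "monitorenter":
            lock_just_taken = True
        elif BRANCH.match(opcode) or opcode == "monitorexit":
            lock_just_taken = False   # branch seen, or the lock was released
        elif (lock_just_taken and opcode == "invokevirtual"
              and "java/lang/Object.wait:" in operands):
            hits.append(offset)
            lock_just_taken = False
    return hits

# Constructed listings in javap -c style (hand-written, not compiler output).
# UNCONDITIONAL mirrors the JBoss snippet: the test happens before the lock.
UNCONDITIONAL = """
   4: ifne          23
  13: monitorenter
  14: aload_0
  15: getfield      #3   // Field lock:Ljava/lang/Object;
  18: invokevirtual #4   // Method java/lang/Object.wait:()V
  22: monitorexit
"""
# GUARDED mirrors the correct code: the condition is tested under the lock.
GUARDED = """
   6: monitorenter
   7: aload_0
   8: getfield      #2   // Field enabled:Z
  11: ifne          21
  15: getfield      #3   // Field lock:Ljava/lang/Object;
  18: invokevirtual #4   // Method java/lang/Object.wait:()V
  22: monitorexit
"""
```
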

What is wrong with this code?

From JBoss 4.0.0RC1

    public String getContentId() {
        String[] header = getMimeHeader("Content-Id");
        String id = null;
        if( header != null || header.length > 0 )
            id = header[0];
        return id;
    }

This one was fairly obvious

Null pointer dereferences

- Some null pointer dereferences require sophisticated analysis to find
  - Analyzing across method calls, modeling the contents of heap objects
- We have seen many examples of obvious null pointer dereferences:
  - Values which are always null
  - Values which were null on some control path
- How can we construct an analysis to find obvious null pointer dereferences?

Dataflow analysis

- At each point in a method, keep track of dataflow facts
  - E.g., which local variables and stack locations might contain null
- Symbolically execute the method:
  - Model instructions
  - Model control flow
  - Iterate until a fixed point solution is reached

Dataflow values

- Model values of local variables and stack operands using lattice of symbolic values
- When two control paths merge, use meet operator to combine values
  - This is the greatest lower bound of the values

Meet example

    Null meet Null = Null
    Null meet Not null = Maybe null

Null-pointer dataflow example

[Diagram slides; figures not recovered]
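
A small forward dataflow analysis over the three lattice values above, applied to the getContentId() method from JBoss, as an added Python sketch (not code from the talk or from FindBugs). The block-and-edge representation, the opcode names and all function names are assumptions made for this example.

```python
NULL, NONNULL, MAYBE = "Null", "Not null", "Maybe null"

def meet(a, b):
    """Greatest lower bound: equal values stay, anything else is Maybe null."""
    return a if a == b else MAYBE

def transfer(code, state):
    """Symbolically execute one block; return (out_state, null_derefs)."""
    state, bad = dict(state), []
    for idx, (op, var) in enumerate(code):
        if op == "call":            # value returned by an unknown method
            state[var] = MAYBE
        elif op == "const_null":
            state[var] = NULL
        elif op == "deref":
            if state.get(var) == NULL:
                bad.append((idx, var))
            state[var] = NONNULL    # execution only continues if var was not null
    return state, bad

def analyze(cfg, entry):
    """Iterate to a fixed point, then report dereferences of Null values."""
    facts, work = {entry: {}}, [entry]
    while work:
        name = work.pop()
        out, _ = transfer(cfg[name]["code"], facts[name])
        for target, var, refined in cfg[name]["edges"]:
            edge = dict(out)
            if var is not None:     # a branch on a null test refines the value
                edge[var] = refined
            old = facts.get(target)
            new = edge if old is None else {
                v: meet(old[v], edge[v]) for v in old.keys() & edge.keys()}
            if new != old:
                facts[target] = new
                work.append(target)
    return sorted((name, idx, var) for name in facts
                  for idx, var in transfer(cfg[name]["code"], facts[name])[1])

# Constructed control-flow graph for the getContentId() method shown earlier.
GET_CONTENT_ID = {
    "entry":  {"code": [("const_null", "id"), ("call", "header")],
               "edges": [("assign", "header", NONNULL),   # header != null
                         ("length", "header", NULL)]},    # header == null
    "length": {"code": [("deref", "header")],             # header.length > 0
               "edges": [("assign", None, None), ("exit", None, None)]},
    "assign": {"code": [("deref", "header")],             # id = header[0]
               "edges": [("exit", None, None)]},
    "exit":   {"code": [], "edges": []},
}
```

Warnings are collected only after the fixed point is reached, so a value that starts as Null on the first visit and later drops to Maybe null at a merge is not reported.
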

Conclusions

- There are more obvious bugs lurking in Java code than most people realize
  - Static analysis can find many of these
- Lots of interesting properties of programs can be found using static analysis
  - Very active research area
  - Starting to be widely adopted in practice
  - The compiler course is still relevant!